How To: Sniffing the Air


Wireless security - two words generally spoken in the same tone as "jumbo shrimp" and "government organization". Because of the nature of the technology, and the easily-broken encryption solutions that are currently out there, it becomes a question of not if, but when an attack will occur. Small- and home-office users are especially vulnerable, as they generally have more important things to worry about than securing their wireless assets and lack the resources of larger companies to devote to a security contact or team.

But all is not lost, as there are ways to verify the security of a wireless network despite the oxymoron that wireless security generally conjures to mind. Intrusion Detection Systems (IDS for short) provide a way to detect these attacks even before they happen, while the intruder is still casing the place. They are not the be-all-end-all to security, but when combined with firewalls and other security tools they can be very powerful. It is helpful to think of IDS as similar to burglar alarms: they will tell you that a break-in has happened, but leave it up to other systems to handle the break-in itself.

The namesake of the Snort IDS

Figure 1: The namesake of the Snort IDS

Snort is an open source IDS that can be custom-tailored to fit your wireless network. Calling itself "the de facto standard for intrusion detection", Snort is flexible, fast, and most importantly, free. All it takes is a little bit of elbow grease to get it up and sniffing away at wireless traffic.

Snort and other IDS can be especially effective when dealing with wireless attacks. In a previous series, Humphrey Cheung talked about how the Wired Equivalent Privacy (WEP) encryption scheme can be easily cracked. In addition to this, even more advanced encryption methods can be cracked and wireless authentication schemes broken by a determined attacker. This makes Snort a vital tool in detecting these kinds of attacks and stopping them before they begin.

There is a version of Snort available that is tailored specifically towards the wireless user. Appropriately titled Snort Wireless, this version contains rules that are suited to detecting some of the most common attacks against a wireless access point, and can also be custom-tailored to the specific needs of a wireless network. This article will give you a basic outline of Snort's operation and how it can be applied to your wireless network, leaving the specifics of deploying it up to you.